FYI - I will be on vacation the week of August 29 returning to
the office Monday September 5.
MISCELLANEOUS CYBERSECURITY NEWS:
What if the onus of medical device security were shifted to
manufacturers? - The status quo of securing a vast, complex
ecosystem of medical devices has fallen to healthcare providers, even
though some of the best-equipped entities are unable to solve
systemic device challenges. But what if the responsibility were given
back to developers?
https://www.scmagazine.com/feature/device-security/what-if-the-onus-of-medical-device-security-were-shifted-to-manufacturers
Hardening and monitoring cloud configuration - The Center for
Internet Security defines system hardening as the “process of
limiting potential weaknesses that make systems vulnerable to cyber
attacks.”
https://www.scmagazine.com/resource/cloud-security/hardening-and-monitoring-cloud-configuration
Lawmakers want to know how the health sector is fighting ransomware
- Sen. Angus King, I-Maine, and Rep. Mike Gallagher, R-Wis., are
calling for an urgent meeting with the Department of Health and
Human Services to operationalize collaboration throughout the
healthcare sector to defend against the ongoing threat of ransomware
attacks.
https://www.scmagazine.com/analysis/ransomware/lawmakers-want-to-know-how-the-health-sector-is-fighting-ransomware
How orchestration can accelerate the end of passwords - The
information industry is making a major push to improve identity and
access management protocols so that users can obtain the answers
they need swiftly and securely.
https://www.scmagazine.com/resource/identity-and-access/how-orchestration-can-accelerate-the-end-of-passwords
CYBERSECURITY ATTACKS, INTRUSIONS, DATA THEFT & LOSS:
Cisco Confirms It's Been Hacked by Yanluowang Ransomware Gang -
Networking equipment major Cisco on Wednesday confirmed it was the
victim of a cyberattack on May 24, 2022 after the attackers got hold
of an employee's personal Google account that contained passwords
synced from their web browser.
https://thehackernews.com/2022/08/cisco-confirms-its-been-hacked-by.html
What Cisco did right: A CISO’s perspective on the breach - When a
company as massive and pervasive as Cisco announces a breach,
security professionals take notice, particularly in an era of supply
chain attacks that have wreaked havoc for organizations across the public and
private sectors.
https://www.scmagazine.com/feature/incident-response/what-cisco-did-right-a-cisos-perspective-on-the-breach
7-Eleven Denmark confirms ransomware attack behind store closures -
7-Eleven Denmark has confirmed that a ransomware attack was behind
the closure of 175 stores in the country on Monday.
https://www.bleepingcomputer.com/news/security/7-eleven-denmark-confirms-ransomware-attack-behind-store-closures/
UK NHS service recovery may take a month after MSP ransomware attack
- Managed service provider (MSP) Advanced confirmed that a
ransomware attack on its systems disrupted emergency services (111)
from the United Kingdom's National Health Service (NHS).
https://www.bleepingcomputer.com/news/security/uk-nhs-service-recovery-may-take-a-month-after-msp-ransomware-attack/
Behavioral Health Group informs 198K patients of data theft from
December - Behavioral Health Group recently began notifying 197,507
patients that their data was stolen more than eight months ago
during a cyberattack.
https://www.scmagazine.com/analysis/breach/behavioral-health-group-informs-198k-patients-of-data-theft-from-december
Latest US Health Data Breaches Follow Worrisome Trends - Some 60
breaches affecting about 2.5 million individuals were added in July
to the federal tally of major health data breaches.
Press release -
https://www.govinfosecurity.com/latest-us-health-data-breaches-follow-worrisome-trends-a-19804
Cases Currently Under Investigation -
https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Florida Orthopaedic reaches $4M settlement over 2020 health data
theft - Florida Orthopaedic Institute reached a $4 million
settlement with the 647,000 patients affected by a server hack and
subsequent ransomware attack in 2020.
https://www.scmagazine.com/analysis/ransomware/florida-orthopaedic-reaches-4m-settlement-over-2020-health-data-theft
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services (Part 3 of 4)
Due Diligence in Selecting a Service Provider
Once the institution has completed the risk assessment,
management should evaluate service providers to determine their
ability, both operationally and financially, to meet the
institution’s needs. Management should convey the institution’s
needs, objectives, and necessary controls to the potential service
provider. Management also should discuss provisions that the
contract should contain. The appendix to this statement contains
some specific factors for management to consider in selecting a
service provider.
Contract Issues
Contracts between the institution and service provider should
take into account business requirements and key risk factors
identified during the risk assessment and due diligence phases.
Contracts should be clearly written and sufficiently detailed to
provide assurances for performance, reliability, security,
confidentiality, and reporting. Management should consider whether
the contract is flexible enough to allow for changes in technology
and the financial institution's operations. Appropriate legal counsel
should review contracts prior to signing.
Institutions may encounter situations where service providers
cannot or will not agree to terms that the institution requests to
manage the risk effectively. Under these circumstances, institutions
should either not contract with that provider or supplement the
service provider’s commitments with additional risk mitigation
controls. The appendix to this statement contains some specific
considerations for management in contracting with a service
provider.
FFIEC IT SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
PERSONNEL SECURITY
AGREEMENTS: CONFIDENTIALITY, NON-DISCLOSURE, AND AUTHORIZED USE
Financial institutions should protect the confidentiality of
information about their customers and organization. A breach in
confidentiality could disclose competitive information, increase
fraud risk, damage the institution's reputation, violate customer
privacy and associated rights, and violate regulatory requirements.
Confidentiality agreements put all parties on notice that the
financial institution owns its information, expects strict
confidentiality, and prohibits information sharing outside of that
required for legitimate business needs. Management should obtain
signed confidentiality agreements before granting new employees and
contractors access to information technology systems.
JOB DESCRIPTIONS
Job descriptions, employment agreements, and policy awareness
acknowledgements increase accountability for security. Management
can communicate general and specific security roles and
responsibilities for all employees within their job descriptions.
Management should expect all employees, officers, and contractors to
comply with security and acceptable use policies and protect the
institution's assets, including information. The job descriptions
for security personnel should describe the systems and processes
they will protect and the control processes for which they are
responsible. Management can take similar steps to ensure contractors
and consultants understand their security responsibilities as well.
TRAINING
Financial institutions need to educate users regarding their
security roles and responsibilities. Training should support
security awareness and should strengthen compliance with the
security policy. Ultimately, the behavior and priorities of senior
management heavily influence the level of employee awareness and
policy compliance, so training and the commitment to security should
start with senior management. Training materials would typically
review the acceptable-use policy and include issues like desktop
security, log-on requirements, password administration guidelines,
etc. Training should also address social engineering, and the
policies and procedures that protect against social engineering
attacks. Many institutions integrate a signed security awareness
agreement along with periodic training and refresher courses.